
So, the talk: who the [ __ ] is Richard De? Apologies, and I'm Richard De, okay, and one of us should know. Hopefully I know; Matt does. Absolute true story. I'm not sure if anyone's seen Fargo, I'm not sure if we've seen that series on Netflix, really good series, but this is a true story, unlike Fargo. Found out, by the way, they tell you for six seasons it is a true story and it's not, which was a bit disappointing, but this is. Main protagonists, obviously me and Matt. I want to just make something clear: the talk isn't about me, it's not about Richard De and who is Richard De. It's more of a, I'm going to try and put forward a deeper meaning into this talk, where it's about corporates versus hackers, and I'm going to play the role of the hacker in this scenario, and Matt will be playing the role of the corporate, and Matt plays the role of the corporate very well, he does. But yeah, the bottom line is very important: there's a lot of people like me in this room, a bit mischievous minded, a bit hacker mentality, and there's a lot of people like Matt in the room, and I think over the past few years, definitely the last few decades, that gap has been minimized. It's starting to become an amalgamation of one subset of people rather than hackers versus corporates; hackers now work in corporates and we've adopted into that environment. So that's the core of this talk, and genuinely I feel it's because of people like Matt that that's the scenario we're working in now, where hackers can go and get a job in a corporate and live a happy life.

So let's kick off, Matt, with this true story. So, be me. I'm going to let you read this, because no point of reading out a green screen. All true. Gist of it is I started a cyber security company a long time ago with some good intentions, and you never end up imagining that you'll find yourself in these scenarios where you find yourself. When you start a business in the corner of your bedroom, things escalate quite quickly. But yeah, this was me: start business, grew up, the business organically grew, and a big part of that business was smashing corporates to bits. I reported TalkTalk to the ICO, I reported the vulnerabilities with TalkTalk to TalkTalk, I rang up CEOs of companies and told them "your data is leaking online, you've got three hours to fix it or I'm blogging about it." I didn't care, because I had a small company; I was untouchable, in a way, from a legal perspective. I thought I was doing something very valiant, which we'll get on to in a minute, but the gist of it is my reputation grew to the point where the Met Police gave me a medal for fighting fraudsters, for making people's lives hard, and you feel, obviously, you're the good guy.

Okay, so yeah, this is a story about one of my vulnerabilities, and this is the way Matt comes in as well. So I had a quite successful blog. The blog was the starting point for many news events, including TalkTalk: it hit my blog a week before it hit the BBC. Other kinds of companies that we reported, and vulnerabilities we worked through, were covered on the blog. So part of researching through an ongoing blog was actively going out and testing what I'm writing about. Well, I was doing a blog one day about Google Docs and Trello boards, and this is quite clearly where me and Matt met. I found some data. It wasn't the end of the world, it wasn't the biggest data in the world, it wasn't, you know, a big exposé, it wasn't Panama Papers; this was trivial data. And I wanted to report the data to the person, as in, you know, the spirit of vulnerability disclosure. We hackers, kind of, you know, I'm a good guy, or I think I am, grey hat at best, and I wanted to report this to the company directly. So I tracked them down with a polite email, and we get a response from the company that I've reported it to, as well.

Say that's Frank. Frank is my boss. He's a very senior executive at a company that is a household name. You would have heard of this company, you've probably been a customer of this company. It's a company that holds lots of personal data, it's a company that has lots of physical infrastructure, transportation, accommodation, big company. And that is not how I remember this, Richard. That's how I remember it, Matt. It's these nice little polite emails that you... That's what I remember. I've taken this email from my outbox, from my sent box, so I think you'll find it's quite true. Oh yeah, this is how I remember it, yeah. I did also send some messages on LinkedIn on Friday night as well, yeah, I did, did ones. I think as the week went by Richard got slightly more grumpy that he wasn't getting the speed of response from all of the senior corporate executives that he was reaching out to. Do you remember what I said? I contacted the CEOs, I got the company, I got them to look at their error, and if they didn't fix it in what I thought was a reasonable time frame of 24 hours, they should be penalized. Okay, there's only several flavors of autism, but times are times, right? So, um, yeah, and I did later that night follow up with some people on Friday night, which was dedication on my behalf, because these people were at work, but I still was, so sent them some LinkedIn messages telling them it's quite serious. So I found that a little bit startling, to be honest.

So, just to introduce myself. So I, at that time, was an absolute rookie CISO. I'd just got my first CISO gig at this big corporate giant. I had a bit of knowledge, not very much experience; my skin was all still completely smooth. I have more scars now, but then there was not a scar on my body from this new big job that I had got. I knew what could happen if I got it wrong, and how devastating that could be, for both the company that I work for but also me personally. I had, at that time, a four-year-old child, a mortgage that I could barely afford, elderly parents on both sides, with no hope of any inheritance, and not financially secure. But things are going well, I've got this good job, it's a job that lots of people in our industry aspire to get, until Richard De pops into my DMs. It was quite a good job as well, by the way; you should be proud of that, it was quite a big company. So yeah, I can 100% see this.

So I think Matt did some Googling at this point, didn't you? This is what I call OSINT. Yeah, officially OSINT, on to the Google Docs as well. There's some stars there; if you can break the code and you're under 18, I'm sorry. And the more I Googled and the more I clicked, the more I found. Yeah, so Matt obviously found some of my previous work, where I'd previously threatened TalkTalk to come clean with what they were covering up, and they pushed Ido out to the press. Obviously, again, I wasn't paid for this work, so it just shows my commitment to the industry and doing the right thing, really, for all of us, and just pushing corporates into the spotlight where they need to be sometimes. Yeah, the share price I think fell 85 million pound in one day, the CEO resigned. The CEO resigned, yeah, one of the biggest mess-ups in the world. But it did make me feel a little bit sick. When I was reporting issues to TalkTalk at lunchtime, I went to my mum's house that afternoon, she's got World Service on the radio, and you go in, "Mum, good issue," and then, "next up, TalkTalk is suffering a large cyber attack," and you think, oh, that makes you feel a little bit sick, so you sit down. Some of these events were quite catastrophic, such as finding malware before hackers did. Long story short, I'll save you from the ins and outs: TalkTalk lied on a parliamentary inquiry, but anyway, who needs to know that. So they got a fine, because I rang up the ICO and I said, look, I found this data, they've been mischievous with it, and they ended up fining them the largest fine that's, well, since, not much of a bottom line to be honest, but still the largest fine ever issued.

So I was reading all this. The TalkTalk incident had only very recently been in the press, I was very aware of it, and now I'm sweating, now I'm starting to sweat. It's not just that photo that made him do it either, because they made me stand in front of a graffiti-riddled shutter to make me appear a bit more urban, which, really nice. One of the several photos of that spread does actually have the word "top" in graffiti, so, not good. But yeah, again, this is an article that Matt probably stumbled against, you know, declaring my hatred of cyber crime and my dedication. I was one man from a council estate in West Yorkshire trying to resolve a whole industry's problems, and I was prepared to do whatever it took. I think if I'd found this one I would have been a bit more relaxed, but I was a bit too focused on the TalkTalk thing, to be honest with you. Yeah, I'm sure there's other things. As part of any aspiring young business owner, you try and work with the media to propel your ideas and what your business does. I couldn't afford a marketing team, I couldn't afford PR companies, so I worked with media outlets such as Vice. You know, said I'm a nice guy, I can take over your life with your phone number, and that's all nice and true. Now I don't want to speak to him on the phone, yeah. There's other work that I've done which, again, highlighting people's problems with corporates and trying to get to the bottom: the time where Sage hid a data breach. It didn't stay hidden for very long, so ended up in the Financial Times. And these are proud moments for me when I look back at my career and think of the things that I've done and the adversity I've crossed to get these stories in the press over the years. And I am in proper panic mode at this stage. I'm thinking that these are the lines that are going to be facing my company in the next few days, based on whatever was about to be revealed to me once I finally found out who the f Richard De really was.

Yeah, I can definitely see how it looks. I mean, the headline, breaking Twitter and all the rest of it. There's definitely, let's just say, there's a track record for my behavior online as it was. I think this ended in this moment, didn't it, for Matt? Yeah, eventually I thought, right, who is this person, what do they want, what are their demands? And I demanded that we get him on a phone call so that I could find out exactly what he wanted. Now, I wasn't expecting any of this, to be honest. Normally most companies either say go away, or we'll sue you, or just go away. Sometimes the majority of the answers is not to respond, which is the tip-top legal advice that I'm giving most corporates: sometimes just don't respond. But anyway, they called this meeting, so very formal, I think it was on Teams or something. We joined the meeting, and who was there in that meeting, Matt? Was it just yourself? No, we had a bunch of people from our security team. We were armed with all of our research. Now, we were convinced that you were going to be asking for a large amount of money, and I was prepared to beg that you did not post this data all over the internet. Always nice to know, right?

So in this meeting, it started a bit casually. We, obviously being British, we can get through even potential extortionists, we can be polite for the first few seconds, but very quickly the meeting came about with "what are your demands?" I remember, and I thought, oh, what are my demands? Right, there, you should have thought about that one before. Have thought about it before the phone call, to be fair. Yeah, I didn't get a jet on the back, like the bag of money. My demands, right, oh, let's think about this. Right, I want you to go into Trello and change the privacy settings to private, and that's pretty much me done. I'd be well happy if he did that, mate.

And I think it's about that point, isn't it, he had this punchline. The event was pretty much, it left me with this feeling in my mouth: am I the baddie? I think we've all heard the terrorism, freedom fighter, you know, one man's terrorist is another man's freedom fighter, and I think sometimes by doing what I was doing for the good of people, for the good of the public, against the corporates, I think sometimes you can kid yourself a little bit, for lack of a better word, that we're doing a valiant thing, and when you're doing valiant things nothing should stop in your way, and if it does, they're bad, right? I found it not to be the case. Bit of a deeper moment for this, really, where kind of I didn't see the other side of the fence. I think we met for a beer in some posh London-based pub. Just a standard London pub. It was just a standard, when you're from Yorkshire. They had beer and everything, clean glasses. They had clean glasses and beer mats, it's posh, my neck of the woods, yeah. But I think the true punchline come around in that casual conversation. Behind the scenes, I'm reporting an issue to a large corporate, up in the, you know, the FTSE 100 company. I'm thinking we should be on top of this, you're bigger than me, I'm in my bedroom here, we'll try to earn a living, you're the corporates. And I didn't see, honestly, I didn't have any idea of the people behind the scenes at corporates, because I deluded myself with "us versus them" too much. Yeah, we ended up having a pretty long and deep and meaningful chat, didn't we, and I think what we learned as we had that conversation over a few beers is, one, that we had a lot more in common than we thought we did. We'd both, in our own different ways, committed our life to fighting cyber crime, in very different ways, but both require a sort of big commitment, and, much more importantly, we're both just human beings, normal people too, with all of the problems and challenges and joy and everything that comes with just being a person. Good advert for them there, I'm not sure if they paid for sponsorship today. I think we'll just put them on the Platinum package, all the way. There we go. Really timely, though. Was that a mistake? I get more skeptical as the years go on. Probably not. Probably realized you've been presenting for 20 minutes.

This deeper meaning for me made me change a lot about how I work and how I reported stuff. I think some big takeaways for me: I don't see myself as a bully, first of all. I might look like one, but I'm not a bully mentality, and I think I could quite clearly see that I bullied someone. I made them do something, I used force, which I thought was a valiant effort, and on the other side of the fence you see a real impact: a person worries about his family and his livelihood, right, and I've caused that impact. So it made me change how I report security vulnerabilities. Immediately went back home, added a page on the website, so now when I report a vulnerability to a company they could at least ignore me with the prior knowledge of knowing what I was about, of my intentions: that I don't want any money, because you've not asked me to do this work, therefore I'm not going to demand a payment, and I'm ethical, I work with the police, and I'm not going to try and extort you. So made it very clear for people. I think that was a big learning point.

Yeah, and I changed too. So what Richard educated me about, which I hadn't really fully appreciated, was that there has maybe historically been somewhat of a divide between corporate security people and the security research community, people that don't particularly fit into that more traditional corporate way of living a life, and yet there are a whole population of people that are interested in cyber, interested in fighting cyber crime, often very independent in nature, and that if we can work out how to build some bridges between those two different communities, actually we're all on the same side. I think that's what's good about BSides. And you know, we see the corporate sponsors, and I think 15 years ago that'd have been a bit of, but they're paying for the sandwiches, we'll let them in. But I think nowadays we see the corporate sponsors as something that's critical, it's essential to part of BSides. It always has been; it's always propagated that independence, right, to be BSides. So there's obviously some benefit to working with corporates. I know everyone that's a bit of a hacker in this audience probably has, or has aspirations to go into, some kind of corporate role, in essence as part of the blue team fight, as, you know, part of that side of the fence. I think we can still learn a massive swap of information from both sides of the fence. I think we can learn professionalism from corporates, I think we can learn how to conduct ourselves better. Sometimes, personally, I'm talking for, but I'll speak for most hackers, there is an air of autism as well sometimes, I think that's sometimes hard to work with, especially with a corporate face. And I think on that side of the fence as well, you know, being able to implement security.txt and make things easier makes their job easier as well. Yeah, well, since that deep and meaningful in that pub, Richard and I have worked together on implementing responsible disclosure programs at two big corporates now, and if you'll still speak to me whenever I get my next job, we'll probably do the same again, because I think, you know, this is a fantastic way of creating a communication channel that is much more productive than the kind of "I've got your data" message on LinkedIn.

Yeah, definitely. So we weren't going to answer any questions, but we finished a little bit early. If anyone's got any really quick questions put your hand up; if not, we'll just skip forward. That's pretty much going to be... awesome, question, go on. So you're the security research in your corporate, yeah. Do you think Europe and the UK get anywhere like what recently happened in the US, with the, was it financial, or the SEC coming out with the law that serious incidents have to be reported to them within 48 hours or so, and there was a recent thing at the end of last year where a bad actor actually filled out the forms into the SEC, it was about two weeks before it came into act? It's quite a nuanced question, Matt, that's quite a tough one. You ready for it? Do you want to answer? You go on. Yeah, so the regulatory environment does tend to follow what happens in the US, and it's already the case that, so I currently work in financial services, which is not this company, but I'm in financial services now, it's already the case that we have to report to our regulator within a set period of time, which is relatively short. I think it's quite interesting what's happened with the SEC and SolarWinds; it seems like quite a bit of that has been overturned, but that's going to be further appealed, so I don't think we've quite seen how that one will fully play out. But as a CISO, I think it is helpful to have greater accountability, even if it is somewhat more scary. So that's what I mean, we agree on too much. I also agree on extra accountability for corporates, believe it or not, but it's the fact that, you know, in that similar situation in the UK, a common tactic of mine is: this is the problem, fix it or don't, I've told the ICO, you've got 48 hours, by the way, so I'll probably ring them as well. You know, you make contact now, and it's always nice having that backup from a regulatory or, you know, compliance or a legal point of view. I think on responsible disclosure, I think it is worth the effort for taking some time to try and alert the company in a friendly and polite way, but if you get that complete sort of "go away, speak to the lawyers," then go ahead, put it to the regulator. It's a free world.

Any more questions, or should we move on? So I work in open source a lot, and obviously here we've got clear accountability between corporations and people finding issues, right. If you've got open source projects the accountability isn't always there, less so for projects in a foundation, but if you are a hacker and you find an issue with a project that's, say, a dependency of lots and lots of things, what's the approach you'd say then? Because you can't really contact someone, right, how would you deal with that? Sometimes it's the greater good angle. If you found a big problem in a big open source project, I think too many, especially younger hackers, see in a value, a bit like myself, you know, a bit younger, a bit more valiant, thinking this is the right thing to do, they want to push that out to the press, right, they want to get, in a way, some quid pro, some kudos for that find. I think sometimes people are a bit hasty to do that and don't think of the bigger picture. You know, if you've got hospitals also using that software, or if you've got government agencies, big companies using that, sometimes there's a bigger risk, and I think there's pretty much a standardized, well, there's definitely an ISO framework for reporting vulnerabilities, just to bore everyone to death if you've completely lost your appetite for finding anything fun. There is an ISO framework for reporting stuff. There's also a very common sense angle as well, where you'd report something to that GitHub person, to that, you know, open source repo, whatever that may be, and then giving them some time, and just again remembering they are people. And just seeing the bigger thing: if you think that impacts larger systems, there's definitely things like the NCSC, and I think once you've reported to the NCSC, I think a lot of people should just relax a little bit. It's not your, we're not Batman, you know, we're not there to, like, cyber police and everything. Yeah, got to be a middle ground.

So if there's no more questions, if anyone's got any, no, you've got one here, oh, sorry, I keep on assuming there's none. You mentioned about breaking the barriers down. How deep do you think that barrier is between, you know, one side of the fence and the other, again, that's a phrase, I appreciate. Do you think that barrier is still quite high between the kind of hacker world and the corporate world, is that broken down? I think it might depend on the experience of the CISO in question. So at that time that Richard tried to report this, I hadn't really heard of responsible disclosure. When I say I was a rookie CISO, I was a rookie CISO, so this was the first time this had happened, and so my initial reaction was a kind of very emotional and panicked one, and it took a little while before I spoke to Richard that I realized that he was approaching us with the best of intentions. But you know, it's one of the reasons why we've been talking about doing this talk for quite a long time, is that I think it starts with dialogue like this, and just getting the message out. And you know, I speak to my other CISO friends that I have, we all sort of speak and talk about responsible disclosure to them. The problem tends to be actually when, if the lawyers at your company get wind of it, which is again the advantage of having a proper responsible disclosure process, because if it happens to get to the lawyers they tend to get a bit more sort of "right, who is this person?" and sometimes they start telling you what to do rather than asking what we should do. Yeah, I think that train with lawyers is sometimes, I think, a million miles away. I do think there are people in this room that see those that come to BSides as well. Generally I think the gap is closing. You think back at, you know, hackers of the 1980s being called up to Congress to testify, made to wear suits for the first time in their life, you know, absolute renegade hackers, being this counter culture. I think that was a big part of hacker culture, like 80s, 90s, becoming part of mainstream culture now, where we see TV series, you know, long time since Mr Robot, but it's a case of it's becoming more commonplace for people to, like, right at the start where I said that gap is growing smaller, because there's a lot more hackers that are growing and flourishing within, you know, kind of corporate environments, which if you'd said to me as a teenager that would be the case I'd have laughed, but here we are. And I think it's a closing gap. I think there is a lot more to go, but there's variations of CISO, there's variations of hackers as well, I think that's a key point. You know, I'm very traditional, created a company called Antisocial Engineer, for God's sake, so it gives you an idea about me. I was banned from school, I was expelled from, you know, everywhere where I've had a computer, basically, and very much like a cat B, I'm not sure if anyone's come across cat B, but like a cat B manifesto, hacking the, I read that years ago and just loved it. I think that was me, that was my mentality.

I do think it's got a bit, like, a lot more to go, because unfortunately many people in Matt's role might be cool, but they have to then, by the rules of their company, turn to the legal department, and I think that can be a real downward spiral. Negotiation stops there. The cool "there's a problem, try and fix it, mate" normally ends there, because you can't converse on that level. And it's also quite daunting as well for a lot of small business owners getting contacted by legal companies with cease and desists and stuff like that. So yeah, it's also probably worth understanding, and I don't want to get a tiny violin out here, it's a very, very hard job, because hacking's hard. Both are hard, right, all stuff, stay up for nights, stay on the cutting edge of everything to contest it. I'll explain why it's hard. So the company in question that we were sort of talking about here, 40,000 people. Any one of those 40,000 people could make a mistake, whether it be setting up a Trello board to manage a process and not realizing that that's something that they shouldn't do, and they certainly shouldn't put customer data in there, or clicking a phishing email, or taking a call. I mean, any one of the 40,000 people can just make a mistake, and as the CISO you might be able to spot that the mistake has been made, but you might well not, and in this case we had no idea that that Trello board had been there. What had happened is that a small business unit in another country had set this up to run a local process because they thought that was quick and easy. They were probably using Trello at home to manage their shopping list and how they manage household tasks. It was very organized, to be fair. But, you know, they stuck customer data into it, and I wouldn't have spotted it if not for Richard.

So I think my closing remark for today, then, is if you would know yourself, and I'm not going to start labeling people, I think that's very anti-hacker, but if you know yourself you're a bit of a nerd, you're a bit of a hacker, if you're a bit feral, if you've questioned paying the TV licence more than once, you're definitely in that category, right, we know we have, we don't even watch live TV, why are we paying this, it's crazy. If you're in that camp, try and find someone today in a suit, or someone a little bit corporate, and again, if you're a little bit corporate, and you know you are, because you just know you are, you find yourself a little kid with a hood and you get talking, because I think there's a lot more to get out of that conversation, right. Thanks, time to...

Thank you very much. Right, so the next talks start at 9:45, that's where we start splitting things up, so blue, the purple, staying here, we've got red top, blue downstairs, and all the sponsors are now fully set up. The workshops are also starting, so we've got the Payment Village and all that, Lockpicking Village, also our sticker stall's looking very, very not busy, please go upstairs. Remember all the money goes towards charity, it's a local charity, which, really weird with my accent, but honestly I live down here so it's fine. And I know we've got money, especially ones who work with me, you know who I'm looking at, don't start pointing fingers at me, that's naughty, professionalism we had earlier, professionalism. So thank you very much everybody, thank you to the keynotes, speak to you soon.